A number of cryptocurrency exchanges have suspended withdrawals and deposits of all ERC20 tokens after a critical bug was potentially discovered in twelve smart contracts implementing the token standard.
News of the bug, called batchOverflow, was reported days ago on Medium by Coinmonks, who explain that, while analyzing EOS tokens, the team developed an automated system to “scan and analyze Ethereum-based token transfers” and alert the developers to any suspicious transfers.
On 4/22/2018, 03:28:52 a.m. UTC, a transfer of an unusually high amount of BEC tokens was made, prompting a deeper dive into the related smart contract code. The team’s study showed that the transfer came from an “in-the-wild” attack that exploits a vulnerability called batchOverflow. In addition, the scan revealed that “more than a dozen of ERC20 contracts are also vulnerable” to the bug.
Coinmonks proved the exploit existed by transacting with one of the vulnerable contracts.
In response to the bug, one of the largest cryptocurrency exchanges in the world, OKEX, suspended all ERC20 token deposits to “protect public interest,” releasing this statement:
“We are suspending the deposits of all ERC-20 tokens due to the discovery of a new smart contract bug – ‘BatchOverFlow’. By exploiting the bug, attackers can generate an extremely large amount of tokens, and deposit them into a normal address. This makes many of the ERC-20 tokens vulnerable to price manipulations of the attackers.”
Changelly, HitBTC, Poloniex and others have followed OKEX’s lead, suspending withdrawals and deposits of ERC20 tokens for customer safety. Poloniex has since re-enabled deposits and withdrawals, but it is not clear what the results of the investigation were.
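The statement above says the bug lets an attacker “generate an extremely large amount of tokens”, and the Coinmonks scanner flags transfers that are implausibly large. The Python model below is an added example, not code from the article or from any of the affected contracts: it assumes a batch transfer whose total is the recipient count multiplied by a per-recipient amount (the assumed shape of the vulnerable contracts, which the article does not show), models EVM uint256 arithmetic that wraps modulo 2**256, places a SafeMath-style checked multiply beside the unchecked one, and adds the kind of balance-versus-supply check a monitoring system can use to catch a minted-from-nothing balance. All addresses, balances and the total supply are constructed sample values.

```python
MASK = (1 << 256) - 1   # uint256 arithmetic in the EVM wraps modulo 2**256
TOTAL_SUPPLY = 10**27   # constructed sample supply for the toy ledger below


def wrapping_mul(a, b):
    """Unchecked EVM-style multiplication: the product silently wraps."""
    return (a * b) & MASK


def checked_mul(a, b):
    """SafeMath-style multiplication: reject any product that would not fit
    in a uint256 (the Solidity idiom is `require(a == 0 || c / a == b)`)."""
    if a == 0:
        return 0
    c = a * b
    if c > MASK:
        raise OverflowError("uint256 multiplication overflow")
    return c


def batch_transfer(balances, sender, recipients, value, checked):
    """Send `value` tokens from `sender` to each recipient.

    checked=False computes the total with wrapping arithmetic, so a large
    `value` can wrap the total to a tiny number that passes the balance
    check while every recipient is still credited the full `value`.
    checked=True rejects the overflow before any balance changes.
    Returns the total debited from the sender."""
    count = len(recipients)
    total = checked_mul(count, value) if checked else wrapping_mul(count, value)
    if balances.get(sender, 0) < total:
        raise ValueError("insufficient balance")
    balances[sender] -= total
    for recipient in recipients:
        balances[recipient] = (balances.get(recipient, 0) + value) & MASK
    return total


def suspicious_balances(balances, total_supply=TOTAL_SUPPLY):
    """Monitoring heuristic in the spirit of the scanner the article
    describes: no legitimate balance can exceed the token's total supply."""
    return sorted(addr for addr, bal in balances.items() if bal > total_supply)


def demo_vulnerable():
    """Two recipients times 2**255 wraps the total to 0, so a sender holding
    100 tokens passes the balance check; the monitor then flags both
    recipients, whose balances exceed the total supply."""
    balances = {"0xsender": 100}          # constructed sample ledger
    total = batch_transfer(balances, "0xsender", ["0xa", "0xb"], 1 << 255, checked=False)
    return total, balances, suspicious_balances(balances)


def demo_hardened():
    """Same call against the checked version: the overflow is rejected and
    the ledger is untouched."""
    balances = {"0xsender": 100}
    try:
        batch_transfer(balances, "0xsender", ["0xa", "0xb"], 1 << 255, checked=True)
    except OverflowError:
        return "rejected", balances
    return "accepted", balances


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_hardened())
```

The detection side is deliberately crude: a balance above total supply is an unambiguous signal, but a monitor should also watch for transfer events whose per-transfer value exceeds the sender's prior balance, which catches the same class of bug even when the wrapped amounts stay below total supply.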